Denial of service (DOS) attacks are on the increase. A DOS attack is one where one or more fictitious network clients repeatedly contact a server in an apparent attempt to communicate with the server. Generally, a server allocates server resources to address an incoming connection. Typically, a server maintains a limited buffer for storing information about a connecting client during a handshaking exchange of messages for setting up a communication session with the client. However, during an attack, the handshaking is never completed by the fictitious network clients, and therefore the server's resources are not released, until, perhaps, a handshaking time out occurs. By rapidly sending fictitious connection attempts, the servers' limited buffer for incoming connections can be overwhelmed, thus causing legitimate connection attempts to be rejected.
Such an attack may be made with respect to any communication protocol in which a server allocates resources. However, such attacks are typically seen with respect to the Transmission Control Protocol (TCP)/Internet Protocol (IP), as this is the most common networking protocol in use today. For example, FIG. 1 illustrates establishing conventional TCP/IP communication session. TCP/IP is designed to ensure robust data delivery. Thus, both sides to a communication session are required to keep session state and both transmit and receive acknowledgement packets.
To initiate a TCP/IP communication session, a valid client 100 sends 104 a server 102 a synchronization (SYN) packet to indicate the desire to communicate. The SYN packet also contains the client's Initial Sequence Number (ISN), which the server needs for sequencing fragmented data received from the client. The server allocates resources in its limited buffer for the incoming connection, and then sends 106 the client a synchronization/acknowledgement (SYN/ACK) packet. This SYN/ACK acknowledges the SYN packet sent by the client by setting the ACK number to be the Clients ISN+1, and also includes the server's own ISN (usually a randomly generated number by the server). In response, the client then sends 108 the server an acknowledgement (ACK) packet, which again is typically the server's ISN+1. These three operations are collectively referred to as the TCP/IP three-way handshake, and only when all three operations are completed, is a TCP/IP communication session established between the client and the server.
FIG. 2 illustrates a typical DOS attack. An invalid client 200 (or multiple different clients) sends 204 a SYN packet to a server 202. As discussed above, the server then allocates resources for establishing a communication session, and responds 206 with a SYN/ACK packet. Typically the source address for the SYN packet is forged so that the server's SYN/ACK reaches a non-existent client. If the forged address exists, a reset will be sent by that machine in response to the server's SYN/ACK since it had not initiated the connection, resulting in the connection being closed. Consequently, in most attacks, an attacker ensures the forged address either does not exist or is a victim in another attack which is using up its resources so that a real client will not send a TCP Reset message and close the TCP session. The attacker continues to send 208, 212 such TCP messages with forged addresses to the server and at such a rapid rate that the server allocates resources 210 until it runs out of resources 214 for establishing any more communication sessions. Thus, legitimate TCP connection attempts fail, denying service to real users.